I can use any sort of console in Firebug, Developer Tools, etc. to access any JavaScript included in a page and make calls to JavaScript functions without a problem.

If, on a SharePoint page, I use the Client Object Model, doesn't this pose a massive threat to the SharePoint site by exposing service calls that allow you to completely interrogate and manipulate SharePoint objects?

What's stopping a visitor from firing up a console in the browser and doing damage?

1 Answer
1

SharePoint permissions. If a user does not have permissions to view a list, they won't be able to retrieve it. If a user does not have permissions to delete a list item, they won't be able to delete it.

While this does expose the site to CSOM code, the idea is users should only have permissions to perform actions they should have access to.
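As an added illustration of the point in the answer (this is example code, not SharePoint's own implementation and not part of the original post): the reason console access does not matter is that authorization is evaluated on the server, against the identity the platform authenticated, on every request. A console user can craft any request, but cannot pick the identity the server evaluates it under. The toy ACL, user names, list titles and handler below are constructed for this example; the permission names mirror SharePoint base permissions only by analogy. The last function shows the one way this guarantee breaks: custom server-side code that takes the caller's identity from a client-supplied field instead of from authentication.

```javascript
// Constructed list-level ACL: list title -> user -> granted permissions.
// (Illustrative only; SharePoint stores these as role assignments on each
// securable object, this is just a model of the enforcement rule.)
const LIST_ACL = {
  "Announcements": {
    alice: ["ViewListItems", "AddListItems", "DeleteListItems"],
    bob:   ["ViewListItems"],
  },
  "HR Salaries": {
    alice: ["ViewListItems"],
  },
};

// Which permission each client action requires.
const REQUIRED_PERMISSION = {
  read:   "ViewListItems",
  add:    "AddListItems",
  delete: "DeleteListItems",
};

const ACCESS_DENIED =
  "Access denied. You do not have permission to perform this action or access this resource.";

// Server-side handler. `identity` is whatever the platform authenticated
// (cookie, token, Windows auth); nothing in `request` is trusted for it.
function handleRequest(identity, request) {
  const acl = LIST_ACL[request.list];
  // Same response whether the list is missing or simply not readable by this
  // caller, so the client cannot learn which lists exist by probing.
  if (!acl) {
    return { ok: false, error: ACCESS_DENIED };
  }
  const needed = REQUIRED_PERMISSION[request.action];
  if (!needed) {
    return { ok: false, error: "Unknown action." };
  }
  const granted = acl[identity] || [];
  if (!granted.includes(needed)) {
    return { ok: false, error: ACCESS_DENIED };
  }
  return { ok: true, result: `${request.action} on '${request.list}' as ${identity}` };
}

// Models a browser-console session: the user can send any sequence of
// requests, but every one is evaluated under the same authenticated identity.
function simulateConsoleSession(identity, requests) {
  return requests.map((r) => handleRequest(identity, r));
}

// The anti-pattern (hypothetical custom service, not SharePoint's behaviour):
// reading the identity from the request body. Here the permission model is
// still "correct", yet it protects nothing, because the client chooses who
// the server thinks it is. The fix is the function above: identity from
// authentication, never from client-controlled data.
function handleRequestTrustingClient(request) {
  return handleRequest(request.claimedUser, request);
}

// Stand-alone run: bob can read Announcements but cannot delete from it or
// read HR Salaries, however he phrases the requests.
if (typeof require !== "undefined" && require.main === module) {
  const results = simulateConsoleSession("bob", [
    { list: "Announcements", action: "read" },
    { list: "Announcements", action: "delete" },
    { list: "HR Salaries", action: "read" },
  ]);
  results.forEach((r) => console.log(JSON.stringify(r)));
}
```

The same rule applies to any custom code you add on the server (event receivers, web services, anything running with elevated privileges): it is only as safe as the answer describes while the identity and the permission check both come from the platform rather than from parameters the page's JavaScript sends.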